PRIVACY SHIELD 2.0? – THE NEW ERA OF PERSONAL DATA TRANSFERS TO THE USA
14 April 2022
Following the ruling of the Court of Justice of the European Union in 2020, invalidating the Privacy Shield, it has become significantly more difficult to comply with the GDPR for companies transferring personal data from the EU to the US. What changes will the new Transatlantic Privacy Shield Framework, announced last month with a view to replacing the Privacy Shield, bring for these EU companies? In this short article, we explain the principles of the new Framework and answer the above question.
Before presenting the new Transatlantic Privacy Shield Framework (“Framework”), it is necessary to sum up the background that makes the new rules on personal data transfers between the EU and the US necessary at all.
The legislation that preceded the new Transatlantic Data Protection Framework, the so-called Privacy Shield, came into force in 2016. US companies could register under the Privacy Shield and once they did so, the European Commission recognised that the US provided adequate protection for personal data transferred to such companies. This meant that no additional safeguards were needed for data transfers to such companies.
However, the GDPR, which entered into force in 2018, required a higher level of data protection from third countries. The Court of Justice of the European Union (“CJEU”) concluded in the 2020 Schrems II judgment that US law did not provide adequate judicial protection for those whose personal data transferred to the US was made available to national security organisations under the relevant US rules.
Consequently, the CJEU found that the Privacy Shield did not provide adequate protection under the GDPR and invalidated it.
The Schrems II judgment has left companies transferring personal data to the US in an uncertain situation, as they could no longer transfer personal data to the US under the Privacy Shield.
EU-US data transfers have of course not stopped, but parties making such transfers should apply a complex set of rules providing other additional safeguards, most commonly the standard data protection clauses adopted by the Commission, which we have described in detail in our previous article. 1
2. Basic principles of the Transatlantic Privacy Framework
The main purpose of the new Framework is to fill the gaps in the Privacy Shield and thus provide adequate safeguards for EU-US personal data transfers.
To ensure the above, the Framework will:
- allow personal data to flow freely and safely between the EU and participating US companies;
- limit the scope of personal data accessible by US national security services to the extent necessary and proportionate;
- introduce a new two-tier redress system to investigate and resolve complaints of EU individuals regarding such access, in which the Data Protection Review Court is established;
- maintain strict obligations on companies processing personal data transferred from the EU, requiring US companies to continue to demonstrate compliance with the principles set out by the US Department of Commerce;
- introduce specific monitoring and review mechanisms.
3. Next steps
The EU and US will implement the principles now agreed into their respective legal systems. The US commitments will be translated into an Executive order, which will form the basis for a Commission adequacy decision.
4. What will be the benefits of the Transatlantic Privacy Framework?
Once the Framework is established, it will significantly simplify the procedures for companies that regularly transfer personal data to the US.
In fact, the adoption of the Framework will "restore" the situation prior to the Schrems II ruling, i.e. the data processing of US companies that have registered in the Framework will be assessed by the Commission as providing an adequate level of protection.
For companies, this could provide for simpler and less costly data transfers between the EU and the US, as they will not need to apply, monitor, and amend specific standard data protection clauses to ensure the lawfulness of personal data transfers to the US.
However, it should be noted that at this stage only the principles of the new Framework have been agreed between the EU and the US, so it is likely to be a longer period before the Framework is adopted. Until then, companies should continue to apply the standard data protection clauses.
Following the invalidation of the Privacy Shield, the situation for companies that transfer a large amount of personal data to the US has become more difficult, as companies now should apply specific data protection clauses to each transfer to the US.
The EU and the US would address this problem by establishing the Transatlantic Privacy Framework.
Based on the recently adopted principles of the Framework, the US will provide the effective legal protection that has been missing until now, as well as the right to an adequate judicial remedy for those whose personal data are made available to US national security organisations.
Adoption of the Framework would make it significantly easier to transfer personal data from the EU to the US, but this is likely to be a long time coming, so companies will need to apply the general data protection clauses to their transfers in the meantime.
 Case No. C-311/18